Source: kedpm Version: 1.0 Severity: grave Tags: upstream security Justification: user security hole
Hello, I've discovered an information leak that can give some hints about what ppl search and read in the password manager. kedpm is creating a history file in ~/.kedpm/history that is written in clear text. All of the commands that are done in the password manager are writted there. This also means that if someone uses the "password" command with the password as an argument to change the database's master password, the new password gets leaked in plaintext to that file! The issue was already reported upstream[0]. However, the upstream project seems to be unmoving since a couple of years already. [0]: https://sourceforge.net/p/kedpm/bugs/6/ I've discovered the bug in wheezy, so in 0.5.0 but the same problem applies to later releases. -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.utf8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)